javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-useStrategy-method


If `$translateSanitization.useStrategy` is set to null or blank, this can be dangerous.


Definition

# Semgrep rule: flags a call to $translateSanitization.useStrategy() inside an
# AngularJS controller; the message warns that a null/blank sanitization
# strategy is dangerous.
rules:
  - id: detect-angular-translateprovider-useStrategy-method
    patterns:
      # Matches the zero-argument form `useStrategy();` only. NOTE(review): a
      # call that passes null or '' explicitly (the case the message describes)
      # does not appear to be matched by this pattern — confirm against
      # Semgrep's call-argument matching, and consider `useStrategy(...)` with
      # a constraint on the argument if that form should be caught too.
      - pattern: |
          $translateSanitization.useStrategy();
      # Restricts findings to the body of a controller registered on a module
      # variable literally named `app` whose callback takes ($scope, $sce).
      # `app`, `$scope` and `$sce` are lowercase, so presumably they are
      # literal identifiers rather than metavariables — confirm; controllers
      # bound to another module variable or with other injected services
      # would then not be matched.
      - pattern-inside: |
          app.controller(..., function($scope,$sce){
          ...
          });
    message: If the $translateSanitization.useStrategy is set to null or blank this
      can be dangerous.
    languages:
      - javascript
    severity: WARNING
    metadata:
      # NOTE(review): the first reference points at the $sce#trustAsUrl API,
      # which is not the angular-translate sanitization API this rule targets.
      references:
        - https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl
        - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf
      category: security
      # NOTE(review): `technology` lists typescript but `languages` above is
      # javascript only — confirm whether typescript should be added there.
      technology:
        - angular
        - typescript
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

detect-third-party-angular-translate.js

// Semgrep test fixture for the angular-translate rules. The `// ruleid:`
// comments are test annotations naming the rule expected to fire on the line
// that follows; keep each annotation directly above the line it marks (the
// harness presumably pairs them by adjacency — do not insert code between).
var app = angular.module('MyApp', []);
// `app` and the ($scope, $sce) parameter list match the rule's pattern-inside
// context literally. `$translateSanitization` and `$translateProvider` are
// used below without being injected here — fine for a fixture, but in a real
// controller they would presumably be undefined.
app.controller('myCtrl', function($scope, $sce) {
    // Expected finding for the useStrategy rule: the zero-argument call is the
    // form its pattern matches.
    // ruleid: detect-angular-translateprovider-useStrategy-method
    $translateSanitization.useStrategy();
    var output = 'Hallo <b>{{name}}</b>';
    // The next two findings belong to a sibling rule
    // (detect-angular-translateprovider-translations-method) that is not
    // defined on this page; both register a translation containing raw HTML.
    // ruleid:detect-angular-translateprovider-translations-method
    $translateProvider.translations('de', {output});
    // ruleid:detect-angular-translateprovider-translations-method
    $translateProvider.translations('de', {GREETING: 'Hallo <b>{{name}}</b>'});

});